Flash Saver Maker allows you to make your own screensavers from your favorite Macromedia Flash movies. You can make your own screensavers direct from your Flash .SWF files, or even from your Flash executables. It is even possible to select multiple Flash files in one time, Flash Saver Maker plays them one by one, and then loops movies! If you like , you can turn all sound coming from the projector file off, and add mp3,midi or wav sound files as your own background sounds.
计算方法
No programming skills needed: just add flash files to your screen saver with a point-and-click. Flash Saver Maker consists of a great interface, very nice to view and easy to use. It only takes you about 1 minute to have your own screen saver.
Full support for password in both Win95/98 and WinNT/2000.
但是主程序只有20K!老外的软件真值得学习!Delphi的程序居然能写的这么小!
OD跟踪,一旦F9就显示程序结束,但是程序明明还在运行的……,查看内存中的进程,有如下的进程:
【Process=FFFAB38F Name=FLASHSAVER Window=DDE Server Window Path=C:WINDOWSSYSTEMFLASHSAVER.SCR】
这个东西是唯一一个和这个程序有点相似的东西了,……
重新跟踪:
00403D40 > $ 55 PUSH EBP------------------------------->程序开始
00403D41 . 8BEC MOV EBP,ESP
00403D43 . 83C4 F4 ADD ESP,-0C
00403D46 . B8 183D4000 MOV EAX,SAVERLAU.00403D18
00403D4B . E8 E4FEFFFF CALL SAVERLAU.00403C34
00403D50 . 33C0 XOR EAX,EAX
00403D52 . 55 PUSH EBP
00403D53 . 68 123E4000 PUSH SAVERLAU.00403E12
00403D58 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00403D5B . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00403D5E . 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
00403D63 . 68 34554000 PUSH SAVERLAU.00405534 ; |Buffer = SAVERLAU.00405534
00403D68 . E8 3BFFFFFF CALL <JMP.&kernel32.GetSystemDirectoryA> ; GetSystemDirectoryA
00403D6D . B8 D4544000 MOV EAX,SAVERLAU.004054D4
00403D72 . BA 34554000 MOV EDX,SAVERLAU.00405534 ; ASCII "C:WINDOWSSYSTEM"
00403D77 . B9 05010000 MOV ECX,105
00403D7C . E8 43F1FFFF CALL SAVERLAU.00402EC4
00403D81 . B8 E0544000 MOV EAX,SAVERLAU.004054E0
00403D86 . BA 44000000 MOV EDX,44
00403D8B . E8 20FFFFFF CALL SAVERLAU.00403CB0
00403D90 . B8 24554000 MOV EAX,SAVERLAU.00405524
00403D95 . BA 10000000 MOV EDX,10
00403D9A . E8 11FFFFFF CALL SAVERLAU.00403CB0
00403D9F . C705 E0544000>MOV DWORD PTR DS:[4054E0],44
00403DA9 . B8 D8544000 MOV EAX,SAVERLAU.004054D8
00403DAE . B9 283E4000 MOV ECX,SAVERLAU.00403E28 ; ASCII "flashsaver.scr"
00403DB3 . 8B15 D4544000 MOV EDX,DWORD PTR DS:[4054D4]
00403DB9 . E8 62F1FFFF CALL SAVERLAU.00402F20
00403DBE . B8 DC544000 MOV EAX,SAVERLAU.004054DC
00403DC3 . B9 403E4000 MOV ECX,SAVERLAU.00403E40 ; ASCII "/c"
00403DC8 . 8B15 D8544000 MOV EDX,DWORD PTR DS:[4054D8]
00403DCE . E8 4DF1FFFF CALL SAVERLAU.00402F20
00403DD3 . 68 24554000 PUSH SAVERLAU.00405524
00403DD8 . 68 E0544000 PUSH SAVERLAU.004054E0
00403DDD . 6A 00 PUSH 0
00403DDF . 6A 00 PUSH 0
00403DE1 . 6A 00 PUSH 0
00403DE3 . 6A 00 PUSH 0
00403DE5 . 6A 00 PUSH 0
00403DE7 . 6A 00 PUSH 0
00403DE9 . A1 DC544000 MOV EAX,DWORD PTR DS:[4054DC]
00403DEE . E8 A1F1FFFF CALL SAVERLAU.00402F94
00403DF3 . 50 PUSH EAX
00403DF4 . A1 D8544000 MOV EAX,DWORD PTR DS:[4054D8]
00403DF9 . E8 96F1FFFF CALL SAVERLAU.00402F94
00403DFE . 50 PUSH EAX ; |ModuleFileName
00403DFF . E8 9CFEFFFF CALL <JMP.&kernel32.CreateProcessA> ; CreateProcessA--------->这个带过就失去控制权了
这个CALL的各个参数如下:
0063FDF8 00B6002C |ModuleFileName = "C:WINDOWSSYSTEMflashsaver.scr"
0063FDFC 00B6005C |CommandLine = "C:WINDOWSSYSTEMflashsaver.scr/c"
0063FE00 00000000 |pProcessSecurity = NULL
0063FE04 00000000 |pThreadSecurity = NULL
0063FE08 00000000 |InheritHandles = FALSE------------>TRUE表示允许当前进程中的所有句柄都由新建的子进程继承
0063FE0C 00000000 |CreationFlags = 0
0063FE10 00000000 |pEnvironment = NULL--------------->指向一个环境块的指针
0063FE14 00000000 |CurrentDir = NULL----------------->新进程的当前目录路径
0063FE18 004054E0 |pStartupInfo = SAVERLAU.004054E0-->指定一个STARTUPINFO结构,其中包含了创建进程时使用的附加信息
0063FE1C 00405524 pProcessInfo = SAVERLAU.00405524-->该结构用于容纳新进程的进程和线程标识符
所以这个20K的程序基本上就算是一个外壳了
看看正式的东西吧
C:WINDOWSSYSTEMFLASHSAVER.SCR这个保护程序还有一个配置文件:FlashSaver.dat,可以用记事本打开。运行此屏幕保护程序,动一下鼠标就会出现要求注册对话框,但是反汇编这个文件,没有什么可用的东西,尝试改名为.exe文件,运行,嘿嘿,原来还是可执行文件!分析是ASPack2.1的壳,pe-scan脱壳,原来是Delphi5编写的,反汇编查找字符串参考"Registered Code Error",得到如下片断:
{程序好象有花指令,我在OD里面跟踪时的代码和下面的代码有些出入,但是不重要}
:004AFCD8 55 push ebp
:004AFCD9 8BEC mov ebp, esp
:004AFCDB 33C9 xor ecx, ecx
:004AFCDD 51 push ecx
:004AFCDE 51 push ecx
:004AFCDF 51 push ecx
:004AFCE0 51 push ecx
:004AFCE1 51 push ecx
:004AFCE2 51 push ecx
:004AFCE3 8955F8 mov dword ptr [ebp-08], edx
:004AFCE6 8945FC mov dword ptr [ebp-04], eax
:004AFCE9 33C0 xor eax, eax
:004AFCEB 55 push ebp
:004AFCEC 68C2FD4A00 push 004AFDC2
:004AFCF1 64FF30 push dword ptr fs:[eax]
:004AFCF4 648920 mov dword ptr fs:[eax], esp
:004AFCF7 8B45FC mov eax, dword ptr [ebp-04]
:004AFCFA 33D2 xor edx, edx
:004AFCFC 899034020000 mov dword ptr [eax+00000234], edx
:004AFD02 8D55F4 lea edx, dword ptr [ebp-0C]
:004AFD05 8B45FC mov eax, dword ptr [ebp-04]
:004AFD08 8B80E8020000 mov eax, dword ptr [eax+000002E8]
:004AFD0E E87126F8FF call 00432384---------------------------->取输入的注册码
:004AFD13 8B45F4 mov eax, dword ptr [ebp-0C]-------------->输入的注册码
:004AFD16 50 push eax--------------------------------->保存注册码
:004AFD17 8D55F0 lea edx, dword ptr [ebp-10]
:004AFD1A 8B45FC mov eax, dword ptr [ebp-04]
:004AFD1D 8B80E4020000 mov eax, dword ptr [eax+000002E4]
:004AFD23 E85C26F8FF call 00432384---------------------------->取输入的用户名
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFCB9(C)
|
:004AFD28 8B45F0 mov eax, dword ptr [ebp-10]-------------->用户名
:004AFD2B 5A pop edx---------------------------------->输入的注册码
:004AFD2C E8073DFCFF call 00473A38---------------------------->验证◎◎◎◎◎
:004AFD31 84C0 test al, al------------------------------>AL作为标志
:004AFD33 7458 je 004AFD8D------------------------------>为零则跳到错误对话框
:004AFD35 8D55EC lea edx, dword ptr [ebp-14]
:004AFD38 8B45FC mov eax, dword ptr [ebp-04]
:004AFD3B 8B80E8020000 mov eax, dword ptr [eax+000002E8]
:004AFD41 E83E26F8FF call 00432384
:004AFD46 8B45EC mov eax, dword ptr [ebp-14]
:004AFD49 50 push eax
:004AFD4A 8D55E8 lea edx, dword ptr [ebp-18]
:004AFD4D 8B45FC mov eax, dword ptr [ebp-04]
:004AFD50 8B80E4020000 mov eax, dword ptr [eax+000002E4]
:004AFD56 E82926F8FF call 00432384
:004AFD5B 8B45E8 mov eax, dword ptr [ebp-18]
:004AFD5E 5A pop edx
:004AFD5F E8843BFCFF call 004738E8
:004AFD64 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"Flash Saver Maker"
|
:004AFD66 68D0FD4A00 push 004AFDD0
* Possible StringData Ref from Data Obj ->"Registered Success"--------------->注册成功对话框
|
:004AFD6B 68E4FD4A00 push 004AFDE4
:004AFD70 8B45FC mov eax, dword ptr [ebp-04]
:004AFD73 E85089F8FF call 004386C8
:004AFD78 50 push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:004AFD79 E8227FF5FF Call 00407CA0
:004AFD7E 8B45FC mov eax, dword ptr [ebp-04]
:004AFD81 C7803402000001000000 mov dword ptr [ebx+00000234], 00000001
:004AFD8B EB1A jmp 004AFDA7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFD33(C)---------------------------------------------------------------->从这里跳来
|
:004AFD8D 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"Flash Saver Maker"
|
:004AFD8F 68D0FD4A00 push 004AFDD0
* Possible StringData Ref from Data Obj ->"Registered Code Error"------------>注册错误对话框
|
:004AFD94 68F8FD4A00 push 004AFDF8
:004AFD99 8B45FC mov eax, dword ptr [ebp-04]
:004AFD9C E82789F8FF call 004386C8
:004AFDA1 50 push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:004AFDA2 E8F97EF5FF Call 00407CA0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFD8B(U)
|
:004AFDA7 33C0 xor eax, eax
:004AFDA9 5A pop edx
:004AFDAA 59 pop ecx
:004AFDAB 59 pop ecx
:004AFDAC 648910 mov dword ptr fs:[eax], edx
:004AFDAF 68C9FD4A00 push 004AFDC9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFDC7(U)
|
:004AFDB4 8D45E8 lea eax, dword ptr [ebp-18]
:004AFDB7 BA04000000 mov edx, 00000004
:004AFDBC E8CB40F5FF call 00403E8C
:004AFDC1 C3 ret
:004AFDC2 E9B53AF5FF jmp 0040387C
:004AFDC7 EBEB jmp 004AFDB4
:004AFDC9 8BE5 mov esp, ebp
:004AFDCB 5D pop ebp
:004AFDCC C3 ret
***************************************************************************
***************************************************************************
00473A38 验证◎◎◎◎◎
『返回时如果AL为零则后续会出错』
00473A38 $ 55 PUSH EBP
00473A39 . 8BEC MOV EBP,ESP
00473A3B . 83C4 E8 ADD ESP,-18
00473A3E . 33C9 XOR ECX,ECX
00473A40 . 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
00473A43 . 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
00473A46 . 8955 FC MOV DWORD PTR SS:[EBP-4],EDX------------>输入的注册码
00473A49 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX----------->输入的用户名
00473A4C . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00473A4F . E8 4808F9FF CALL 0040429C--------------------------->?
00473A54 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]------------>输入的注册码
00473A57 . E8 4008F9FF CALL 0040429C--------------------------->?
00473A5C . 33C0 XOR EAX,EAX
00473A5E . 55 PUSH EBP
00473A5F . 68 4D3B4700 PUSH 00473B4D
00473A64 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00473A67 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00473A6A . C645 FB 00 MOV BYTE PTR SS:[EBP-5],0
00473A6E . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]----------->输入的注册码
00473A71 . E8 7206F9FF CALL 004040E8-------------------------->取输入注册码的长度
00473A76 . 83F8 10 CMP EAX,10----------------------------->比较长度是否为10h(即16)
00473A79 . 0F85 A3000000 JNZ 00473B22--------------------------->注册码长度必须为10h(即16)位
00473A7F . B2 01 MOV DL,1
00473A81 . A1 342E4700 MOV EAX,DWORD PTR DS:[472E34]---------->ASSII 07,"TBase64"
00473A86 . E8 FDF3FFFF CALL 00472E88
00473A8B . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX---------->保存上面ASCII的地址
00473A8E . 33C0 XOR EAX,EAX
00473A90 . 55 PUSH EBP
00473A91 . 68 1B3B4700 PUSH 00473B1B
00473A96 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00473A99 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00473A9C . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]---------->新地址
00473A9F . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]---------->输入的注册码
00473AA2 . E8 5904F9FF CALL 00403F00------------------------->注册码到上面新地址
00473AA7 . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]--------->新地址
00473AAA . E8 B903F9FF CALL 00403E68------------------------->?
00473AAF . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]--------->00000000
00473AB2 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]---------->输入的注册码
00473AB5 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]--------->ASSII 07,"TBase64"
00473AB8 . E8 CFF7FFFF CALL 0047328C------------------------->关键一◎◎◎◎◎
00473ABD . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]--------->关键一的结果----------从这里往下共有4次运算
00473AC0 . B8 643B4700 MOV EAX,00473B64---------------------->是否程序固定("F")
00473AC5 . E8 0A09F9FF CALL 004043D4------------------------->关键二◎◎◎◎◎
00473ACA . 85C0 TEST EAX,EAX-------------------------->EAX作为标志
00473ACC . 74 37 JE SHORT 00473B05--------------------->为零则错误
00473ACE . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]--------->关键一的结果
00473AD1 . B8 703B4700 MOV EAX,00473B70---------------------->是否程序固定("S")
00473AD6 . E8 F908F9FF CALL 004043D4------------------------->关键二◎◎◎◎◎
00473ADB . 85C0 TEST EAX,EAX-------------------------->EAX作为标志
00473ADD . 74 26 JE SHORT 00473B05--------------------->为零则错误
00473ADF . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]--------->关键一的结果
00473AE2 . B8 7C3B4700 MOV EAX,00473B7C---------------------->是否程序固定("Z")
00473AE7 . E8 E808F9FF CALL 004043D4------------------------->关键二◎◎◎◎◎
00473AEC . 85C0 TEST EAX,EAX-------------------------->EAX作为标志
00473AEE . 74 15 JE SHORT 00473B05--------------------->为零则错误
00473AF0 . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]--------->关键一的结果
00473AF3 . B8 883B4700 MOV EAX,00473B88---------------------->是否程序固定("L")
00473AF8 . E8 D708F9FF CALL 004043D4------------------------->关键二◎◎◎◎◎
00473AFD . 85C0 TEST EAX,EAX-------------------------->EAX作为标志
00473AFF . 74 04 JE SHORT 00473B05--------------------->为零则错误
00473B01 . C645 FB 01 MOV BYTE PTR SS:[EBP-5],1
00473B05 > 33C0 XOR EAX,EAX
00473B07 . 5A POP EDX
00473B08 . 59 POP ECX
00473B09 . 59 POP ECX
00473B0A . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00473B0D . 68 223B4700 PUSH 00473B22
00473B12 > 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00473B15 . E8 02F6F8FF CALL 0040311C
00473B1A . C3 RETN
00473B1B .^ E9 5CFDF8FF JMP 0040387C
00473B20 .^ EB F0 JMP SHORT 00473B12
00473B22 > 33C0 XOR EAX,EAX
00473B24 . 5A POP EDX
00473B25 . 59 POP ECX
00473B26 . 59 POP ECX
00473B27 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00473B2A . 68 543B4700 PUSH 00473B54
00473B2F > 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00473B32 . E8 3103F9FF CALL 00403E68
00473B37 . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00473B3A . BA 02000000 MOV EDX,2
00473B3F . E8 4803F9FF CALL 00403E8C
00473B44 . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00473B47 . E8 1C03F9FF CALL 00403E68
00473B4C . C3 RETN
00473B4D .^ E9 2AFDF8FF JMP 0040387C
00473B52 .^ EB DB JMP SHORT 00473B2F
00473B54 . 8A45 FB MOV AL,BYTE PTR SS:[EBP-5]
00473B57 . 8BE5 MOV ESP,EBP
00473B59 . 5D POP EBP
00473B5A . C3 RETN
********************************************************************************
********************************************************************************
关键一
0047328C /$ 55 PUSH EBP
0047328D |. 8BEC MOV EBP,ESP
0047328F |. 83C4 D4 ADD ESP,-2C
00473292 |. 53 PUSH EBX
00473293 |. 33DB XOR EBX,EBX
00473295 |. 895D D4 MOV DWORD PTR SS:[EBP-2C],EBX
00473298 |. 895D D8 MOV DWORD PTR SS:[EBP-28],EBX
0047329B |. 895D DC MOV DWORD PTR SS:[EBP-24],EBX
0047329E |. 895D E0 MOV DWORD PTR SS:[EBP-20],EBX
004732A1 |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX----------->00000000
004732A4 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX----------->输入的注册码
004732A7 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX----------->ASSII 07,"TBase64"
004732AA |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]----------->输入的注册码
004732AD |. E8 EA0FF9FF CALL UNPACKED.0040429C----------------->
004732B2 |. 33C0 XOR EAX,EAX
004732B4 |. 55 PUSH EBP
004732B5 |. 68 BF344700 PUSH UNPACKED.004734BF
004732BA |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004732BD |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004732C0 |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0------------->输入注册码的地址是否为空(是否输入了注册码)
004732C4 |. 75 09 JNZ SHORT UNPACKED.004732CF------------>输入了则跳
004732C6 |. C645 F3 00 MOV BYTE PTR SS:[EBP-D],0
004732CA |. E9 CD010000 JMP UNPACKED.0047349C
004732CF |> 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]----------->新地址
004732D2 |. E8 910BF9FF CALL UNPACKED.00403E68----------------->?
004732D7 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]----------->ASSII 07,"TBase64"
004732DA |. 8078 04 00 CMP BYTE PTR DS:[EAX+4],0
004732DE |. 74 19 JE SHORT UNPACKED.004732F9
004732E0 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004732E3 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004732E6 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004732E9 |. E8 DAFEFFFF CALL UNPACKED.004731C8
004732EE |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
004732F1 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004732F4 |. E8 070CF9FF CALL UNPACKED.00403F00
004732F9 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004732FC |. E8 E70DF9FF CALL UNPACKED.004040E8---------------->取输入注册码的长度
00473301 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX--------->输入的注册码的长度
00473304 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]--------->注册码的长度
00473307 |. 25 03000080 AND EAX,80000003---------------------->作与运算
0047330C |. 79 05 JNS SHORT UNPACKED.00473313
0047330E |. 48 DEC EAX
0047330F |. 83C8 FC OR EAX,FFFFFFFC
00473312 |. 40 INC EAX
00473313 |> 85C0 TEST EAX,EAX
00473315 |. 74 09 JE SHORT UNPACKED.00473320
00473317 |. C645 F3 03 MOV BYTE PTR SS:[EBP-D],3
0047331B |. E9 7C010000 JMP UNPACKED.0047349C
00473320 |> 33C0 XOR EAX,EAX
00473322 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00473325 |> FF45 EC /INC DWORD PTR SS:[EBP-14]----------->计数器
00473328 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]-------->注册码地址
0047332B |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]------->计数器
0047332E |. 8A4410 FF |MOV AL,BYTE PTR DS:[EAX+EDX-1]------>依次可以取注册码的各位
00473332 |. 8845 E4 |MOV BYTE PTR SS:[EBP-1C],AL--------->保存
00473335 |. 8D4D E7 |LEA ECX,DWORD PTR SS:[EBP-19]------->新地址
00473338 |. 8A55 E4 |MOV DL,BYTE PTR SS:[EBP-1C]--------->注册码的某一位
0047333B |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]-------->ASSII 07,"TBase64"
0047333E |. E8 C5FBFFFF |CALL UNPACKED.00472F08-------------->关键运算三◎◎◎
00473343 |. 84C0 |TEST AL,AL-------------------------->作为标志
00473345 |. 75 09 |JNZ SHORT UNPACKED.00473350--------->合法则跳走
00473347 |. C645 F3 02 |MOV BYTE PTR SS:[EBP-D],2
0047334B |. E9 4C010000 |JMP UNPACKED.0047349C--------------->否则跳走
00473350 |> FF45 EC |INC DWORD PTR SS:[EBP-14]----------->计数器+1
00473353 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]-------->注册码地址
00473356 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]------->计数器
00473359 |. 8A4410 FF |MOV AL,BYTE PTR DS:[EAX+EDX-1]------>取注册码下一位(相对于上面)
0047335D |. 8845 E4 |MOV BYTE PTR SS:[EBP-1C],AL--------->取得的注册码的某一位
00473360 |. 8D4D E6 |LEA ECX,DWORD PTR SS:[EBP-1A]------->新地址
00473363 |. 8A55 E4 |MOV DL,BYTE PTR SS:[EBP-1C]--------->注册码的某一位
00473366 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]-------->ASSII 07,"TBase64"
00473369 |. E8 9AFBFFFF |CALL UNPACKED.00472F08-------------->关键运算三◎◎◎
0047336E |. 84C0 |TEST AL,AL-------------------------->作为标志
00473370 |. 75 09 |JNZ SHORT UNPACKED.0047337B--------->合法则跳走
00473372 |. C645 F3 02 |MOV BYTE PTR SS:[EBP-D],2
00473376 |. E9 21010000 |JMP UNPACKED.0047349C--------------->否则跳走
0047337B |> 8A45 E7 |MOV AL,BYTE PTR SS:[EBP-19]--------->首位运算三的结果
0047337E |. C1E0 02 |SHL EAX,2--------------------------->逻辑左移2位
00473381 |. 33D2 |XOR EDX,EDX------------------------->EDX清零为下面作准备
00473383 |. 8A55 E6 |MOV DL,BYTE PTR SS:[EBP-1A]--------->第二位运算三的结果
00473386 |. C1EA 04 |SHR EDX,4--------------------------->逻辑右移4位
00473389 |. 02C2 |ADD AL,DL--------------------------->加法
0047338B |. 8845 E5 |MOV BYTE PTR SS:[EBP-1B],AL--------->【保存结果】
0047338E |. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24]------->【新地址】
00473391 |. 8A55 E5 |MOV DL,BYTE PTR SS:[EBP-1B]--------->运算结果
00473394 |. E8 770CF9FF |CALL UNPACKED.00404010-------------->保存运算结果于上面的地址
00473399 |. 8B55 DC |MOV EDX,DWORD PTR SS:[EBP-24]------->运算结果
0047339C |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]-------->
0047339F |. E8 4C0DF9FF |CALL UNPACKED.004040F0
004733A4 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]-------->
004733A7 |. FF45 EC |INC DWORD PTR SS:[EBP-14]----------->计数器+1
004733AA |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]-------->注册码地址
004733AD |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]------->计数器
004733B0 |. 8A4410 FF |MOV AL,BYTE PTR DS:[EAX+EDX-1]------>取注册码的下一位(相对于上面)
004733B4 |. 8845 E4 |MOV BYTE PTR SS:[EBP-1C],AL--------->取得的这一位注册码
004733B7 |. 807D E4 24 |CMP BYTE PTR SS:[EBP-1C],24--------->取得的这位字符与"$"比较
004733BB |. 75 27 |JNZ SHORT UNPACKED.004733E4--------->不相等则跳
004733BD |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004733C0 |. 48 |DEC EAX
004733C1 |. 3B45 EC |CMP EAX,DWORD PTR SS:[EBP-14]
004733C4 |. 74 09 |JE SHORT UNPACKED.004733CF
004733C6 |. C645 F3 04 |MOV BYTE PTR SS:[EBP-D],4
004733CA |. E9 CD000000 |JMP UNPACKED.0047349C
004733CF |> 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
004733D2 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
004733D5 |. 803C10 24 |CMP BYTE PTR DS:[EAX+EDX],24
004733D9 |. 74 50 |JE SHORT UNPACKED.0047342B
004733DB |. C645 F3 05 |MOV BYTE PTR SS:[EBP-D],5
004733DF |. E9 B8000000 |JMP UNPACKED.0047349C
004733E4 |> 8D4D E7 |LEA ECX,DWORD PTR SS:[EBP-19]------>再取新地址
004733E7 |. 8A55 E4 |MOV DL,BYTE PTR SS:[EBP-1C]-------->取得的这位注册码
004733EA |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]------->ASSII 07,"TBase64"
004733ED |. E8 16FBFFFF |CALL UNPACKED.00472F08------------->关键运算三◎◎◎
004733F2 |. 84C0 |TEST AL,AL------------------------->作为标志
004733F4 |. 75 09 |JNZ SHORT UNPACKED.004733FF-------->合法则跳走
004733F6 |. C645 F3 02 |MOV BYTE PTR SS:[EBP-D],2
004733FA |. E9 9D000000 |JMP UNPACKED.0047349C
004733FF |> 8A45 E6 |MOV AL,BYTE PTR SS:[EBP-1A]-------->第二位的结果
00473402 |. C1E0 04 |SHL EAX,4-------------------------->逻辑左移4位
00473405 |. 33D2 |XOR EDX,EDX------------------------>EDX清零作准备
00473407 |. 8A55 E7 |MOV DL,BYTE PTR SS:[EBP-19]-------->第三位的结果
0047340A |. C1EA 02 |SHR EDX,2-------------------------->逻辑右移2位
0047340D |. 02C2 |ADD AL,DL-------------------------->结果相加
0047340F |. 8845 E5 |MOV BYTE PTR SS:[EBP-1B],AL-------->【保存结果】
00473412 |. 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]------>【新地址】
00473415 |. 8A55 E5 |MOV DL,BYTE PTR SS:[EBP-1B]-------->前面三位的运算结果
00473418 |. E8 F30BF9FF |CALL UNPACKED.00404010------------->结果保存于上面的新地址
0047341D |. 8B55 D8 |MOV EDX,DWORD PTR SS:[EBP-28]------>前面三位的运算结果
00473420 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]------->前两位的运算结果
00473423 |. E8 C80CF9FF |CALL UNPACKED.004040F0------------->上面两个结果连在一起
00473428 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]------->上面两个结果连接后的结果
0047342B |> FF45 EC |INC DWORD PTR SS:[EBP-14]---------->计数器+1
0047342E |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]------->输入的注册码
00473431 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]------>计数器
00473434 |. 8A4410 FF |MOV AL,BYTE PTR DS:[EAX+EDX-1]----->取下一位注册码
00473438 |. 8845 E4 |MOV BYTE PTR SS:[EBP-1C],AL-------->保存结果
0047343B |. 807D E4 24 |CMP BYTE PTR SS:[EBP-1C],24-------->取得的这位字符于"$"比较
0047343F |. 75 0E |JNZ SHORT UNPACKED.0047344F-------->不相等则跳
00473441 |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
00473444 |. 3B45 E8 |CMP EAX,DWORD PTR SS:[EBP-18]
00473447 |. 74 43 |JE SHORT UNPACKED.0047348C
00473449 |. C645 F3 04 |MOV BYTE PTR SS:[EBP-D],4
0047344D |. EB 4D |JMP SHORT UNPACKED.0047349C
0047344F |> 8D4D E6 |LEA ECX,DWORD PTR SS:[EBP-1A]----->再取新地址
00473452 |. 8A55 E4 |MOV DL,BYTE PTR SS:[EBP-1C]------->取得的这位字符
00473455 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]------>ASSII 07,"TBase64"
00473458 |. E8 ABFAFFFF |CALL UNPACKED.00472F08------------>关键运算三◎◎◎
0047345D |. 84C0 |TEST AL,AL------------------------>作为标志
0047345F |. 75 06 |JNZ SHORT UNPACKED.00473467------->合法则跳走
00473461 |. C645 F3 02 |MOV BYTE PTR SS:[EBP-D],2
00473465 |. EB 35 |JMP SHORT UNPACKED.0047349C
00473467 |> 8A45 E7 |MOV AL,BYTE PTR SS:[EBP-19]------->第三位运算的结果
0047346A |. C1E0 06 |SHL EAX,6------------------------->逻辑左移6位
0047346D |. 0245 E6 |ADD AL,BYTE PTR SS:[EBP-1A]------->结果相加
00473470 |. 8845 E5 |MOV BYTE PTR SS:[EBP-1B],AL------->【保存结果】
00473473 |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C]----->【新地址】
00473476 |. 8A55 E5 |MOV DL,BYTE PTR SS:[EBP-1B]------->运算结果
00473479 |. E8 920BF9FF |CALL UNPACKED.00404010------------>保存于上面的新地址
0047347E |. 8B55 D4 |MOV EDX,DWORD PTR SS:[EBP-2C]----->运算结果
00473481 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]------>前面几位的运算结果
00473484 |. E8 670CF9FF |CALL UNPACKED.004040F0------------>连接到一起
00473489 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]------>连接后的结果-------->◎◎
0047348C |> 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]----->计数器
0047348F |. 3B45 E8 |CMP EAX,DWORD PTR SS:[EBP-18]----->计数器的值和注册码的长度比较
00473492 |.^ 0F8C 8DFEFFFF JL UNPACKED.00473325-------------->没有结束则跳到上面继续进行运算
00473498 |. C645 F3 00 MOV BYTE PTR SS:[EBP-D],0
0047349C |> 33C0 XOR EAX,EAX
0047349E |. 5A POP EDX
0047349F |. 59 POP ECX
004734A0 |. 59 POP ECX
004734A1 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004734A4 |. 68 C6344700 PUSH UNPACKED.004734C6
004734A9 |> 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
004734AC |. BA 04000000 MOV EDX,4
004734B1 |. E8 D609F9FF CALL UNPACKED.00403E8C
004734B6 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004734B9 |. E8 AA09F9FF CALL UNPACKED.00403E68
004734BE . C3 RETN
004734BF .^ E9 B803F9FF JMP UNPACKED.0040387C
004734C4 .^ EB E3 JMP SHORT UNPACKED.004734A9
004734C6 . 8A45 F3 MOV AL,BYTE PTR SS:[EBP-D]
004734C9 . 5B POP EBX
004734CA . 8BE5 MOV ESP,EBP
004734CC . 5D POP EBP
004734CD . C3 RETN
本端对输入的16位注册码分4次循环分别进行运算,第四次到◎◎时,下指令d [eax]得到的结果就是关键运算一的结果,具体计算过程描述如下(以第一次循环为例):
ASCII表示 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
取输入注册码的首位,计算其在ASCII中的位置(首位位置为0),然后计算如下:
①:首位的位置值×4+第二位的位置值÷16
②:第二位的位置值×16+第三位的位置值÷4
③:①和②连接保存到一个新地址
④:第三位的结果×64+第四位的位置值
连接③和④地结果
内存中形式如下:① ② ④
我输入注册码后,四次循环时内存中内容分别如下:
01E21054 F7 CD B5 00 1E 00 00 00 01 00 00 00 0C 00 00 00 魍?..........
01E140BC F7 CD B5 D3 5D F5 00 00 6A 00 00 00 08 D9 42 00 魍涤]?.j...貰.
01E27864 F7 CD B5 D3 5D F5 DB 7E 39 00 00 00 1A 00 00 00 魍涤]踣~9......
01E1FE10 F7 CD B5 D3 5D F5 DB 7E 39 EB BD 78 00 00 00 00 魍涤]踣~9虢x....
最后返回第四次循环后的值
------------------------------------------------------------------------------------------------
关键二
『前面关键运算一根据输入的注册码得出一个结果,本段总共调用4次,每次比较一个字符,分别为"F"、"S"、"Z"、"L"关键一运算的结果里面必须含有这四个字符。』
『返回时EAX不可为零』
004043D4 /$ 85C0 TEST EAX,EAX---------------------------------->程序固定??
004043D6 |. 74 40 JE SHORT UNPACKED.00404418-------------------->不可为空
004043D8 |. 85D2 TEST EDX,EDX---------------------------------->关键一的结果
004043DA |. 74 31 JE SHORT UNPACKED.0040440D-------------------->不可为空
004043DC |. 53 PUSH EBX-------------------------
004043DD |. 56 PUSH ESI |保存
004043DE |. 57 PUSH EDI-------------------------/
004043DF |. 89C6 MOV ESI,EAX-----------------------------------初始化
004043E1 |. 89D7 MOV EDI,EDX-----------------------------------/
004043E3 |. 8B4F FC MOV ECX,DWORD PTR DS:[EDI-4]------------------>
004043E6 |. 57 PUSH EDI-------------------------------------->关键一的结果
004043E7 |. 8B56 FC MOV EDX,DWORD PTR DS:[ESI-4]------------------>
004043EA |. 4A DEC EDX--------------------------------------->EDX=EDX-1
004043EB |. 78 1B JS SHORT UNPACKED.00404408
004043ED |. 8A06 MOV AL,BYTE PTR DS:[ESI]---------------------->程序固定
004043EF |. 46 INC ESI--------------------------------------->指向下一个地址
004043F0 |. 29D1 SUB ECX,EDX----------------------------------->作减法运算
004043F2 |. 7E 14 JLE SHORT UNPACKED.00404408------------------->小于等于零则返回(出错)
004043F4 |> F2:AE /REPNE SCAS BYTE PTR ES:[EDI]----------------->关键一的结果中查找程序固定值
004043F6 |. 75 10 |JNZ SHORT UNPACKED.00404408------------------>不相等返回(关键一中没有则出错)
004043F8 |. 89CB |MOV EBX,ECX
004043FA |. 56 |PUSH ESI
004043FB |. 57 |PUSH EDI
004043FC |. 89D1 |MOV ECX,EDX
004043FE |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]-->比较
00404400 |. 5F |POP EDI
00404401 |. 5E |POP ESI
00404402 |. 74 0C |JE SHORT UNPACKED.00404410-------------------->为零跳走
00404404 |. 89D9 |MOV ECX,EBX
00404406 |.^ EB EC JMP SHORT UNPACKED.004043F4
00404408 |> 5A POP EDX---------------------------------->跳到这里也是EAX清零返回
00404409 |. 31C0 XOR EAX,EAX
0040440B |. EB 08 JMP SHORT UNPACKED.00404415
0040440D |> 31C0 XOR EAX,EAX------------------------------>如果跳到这里则EAX清零返回
0040440F |. C3 RETN
00404410 |> 5A POP EDX-------------------
00404411 |. 89F8 MOV EAX,EDI |这里对EAX的值由影响
00404413 |. 29D0 SUB EAX,EDX---------------/
00404415 |> 5F POP EDI
00404416 |. 5E POP ESI
00404417 |. 5B POP EBX
00404418 > C3 RETN
****************************************************************************************************
----------------------------------------------------------------------------------------------------
****************************************************************************************************
关键运算三◎◎◎
『返回后AL不能为零』
『以下一段以取注册码首位时的情况分析,其他各位类似』
『进入本段时ECX为关键地址,此地址将保存本段的最后运算结果』
00472F08 /$ 55 PUSH EBP
00472F09 |. 8BEC MOV EBP,ESP
00472F0B |. 81C4 ECFEFFFF ADD ESP,-114
00472F11 |. 53 PUSH EBX
00472F12 |. 33DB XOR EBX,EBX
00472F14 |. 899D ECFEFFFF MOV DWORD PTR SS:[EBP-114],EBX---------------->初始化
00472F1A |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX------------------>【关键地址】
00472F1D |. 8855 FB MOV BYTE PTR SS:[EBP-5],DL-------------------->注册码的首位
00472F20 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX------------------>ASSII 07,"TBase64"
00472F23 |. 33C0 XOR EAX,EAX
00472F25 |. 55 PUSH EBP
00472F26 |. 68 9A2F4700 PUSH UNPACKED.00472F9A
00472F2B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00472F2E |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00472F31 |. C645 F3 01 MOV BYTE PTR SS:[EBP-D],1-------------------->※※初始化
00472F35 |. 8D85 ECFEFFFF LEA EAX,DWORD PTR SS:[EBP-114]--------------->新地址 2
00472F3B |. 8A55 FB MOV DL,BYTE PTR SS:[EBP-5]------------------->注册码的首位
00472F3E |. E8 CD10F9FF CALL UNPACKED.00404010----------------------->保存于新地址 2
00472F43 |. 8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114]--------------->保存的注册码的首位
00472F49 |. 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]--------------->取新地址
00472F4F |. B9 FF000000 MOV ECX,0FF---------------------------------->初始化ECX
00472F54 |. E8 6B11F9FF CALL UNPACKED.004040C4----------------------->?
00472F59 |. 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]--------------->取上面结果(第一位为标志,第2位为首位注册码)
00472F5F |. BA 30474D00 MOV EDX,UNPACKED.004D4730-------------------->ASCII 40,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
00472F64 |. E8 C7FBF8FF CALL UNPACKED.00402B30----------------------->关键运算四◎◎
00472F69 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]----------------->EDX取关键地址
00472F6C |. 8802 MOV BYTE PTR DS:[EDX],AL--------------------->AL的内容保存到关键地址
00472F6E |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]----------------->EAX取关键地址的内容
00472F71 |. 8038 00 CMP BYTE PTR DS:[EAX],0---------------------->运算结果不可为零
00472F74 |. 75 06 JNZ SHORT UNPACKED.00472F7C------------------>如果这里不跳,下面地址将置零,返回后出错
00472F76 |. C645 F3 00 MOV BYTE PTR SS:[EBP-D],0-------------------->※※
00472F7A |. EB 05 JMP SHORT UNPACKED.00472F81
00472F7C |> 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]----------------->EAX取关键地址
00472F7F |. FE08 DEC BYTE PTR DS:[EAX]------------------------>关键地址的内容-1
00472F81 |> 33C0 XOR EAX,EAX
00472F83 |. 5A POP EDX
00472F84 |. 59 POP ECX
00472F85 |. 59 POP ECX
00472F86 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00472F89 |. 68 A12F4700 PUSH UNPACKED.00472FA1
00472F8E |> 8D85 ECFEFFFF LEA EAX,DWORD PTR SS:[EBP-114]---------------->EAX为注册码首位地址
00472F94 |. E8 CF0EF9FF CALL UNPACKED.00403E68------------------------>
00472F99 . C3 RETN
00472F9A .^E9 DD08F9FF JMP UNPACKED.0040387C
00472F9F .^ EB ED JMP SHORT UNPACKED.00472F8E
00472FA1 . 8A45 F3 MOV AL,BYTE PTR SS:[EBP-D]--------------------->※※使用这个内容返回给AL
00472FA4 . 5B POP EBX
00472FA5 . 8BE5 MOV ESP,EBP
00472FA7 . 5D POP EBP
00472FA8 . C3 RETN
【本段总结】一旦关键运算四明白了之后,这里就比较明确了。本段把由关键四取得的首位注册码在ASCII"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"中的地位位数-1后保存在【关键地址】中(可以理解为ASCII字符串下标从零开始计算)。
----------------------------------------------------------------------------------------------------
关键运算四◎◎
『本段的关键也是EAX,返回时AL不能为零』
『以注册码首位为例分析』
『本段解释中ASCII码是指ASCII 40,"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"』
00402B30 /$ 53 PUSH EBX
00402B31 |. 56 PUSH ESI
00402B32 |. 57 PUSH EDI
00402B33 |. 89C6 MOV ESI,EAX--------------------------->本段上面的一个运算(第一位为标志,第二位为首位注册码)
00402B35 |. 89D7 MOV EDI,EDX--------------------------->ASCII码
00402B37 |. 31C9 XOR ECX,ECX--------------------------->ECX清零
00402B39 |. 8A0F MOV CL,BYTE PTR DS:[EDI]-------------->取首位“40”(16进制)
00402B3B |. 47 INC EDI------------------------------->指向ASCII码下一位
00402B3C |. 57 PUSH EDI------------------------------>入栈
00402B3D |. 31D2 XOR EDX,EDX--------------------------->EDX清零
00402B3F |. 8A16 MOV DL,BYTE PTR DS:[ESI]-------------->其前的运算结果的标志位
00402B41 |. 46 INC ESI------------------------------->ESI指向注册码首位
00402B42 |. 4A DEC EDX------------------------------->这里测试标志位的值!如果标志位为零则下面跳走
00402B43 |. 78 1B JS SHORT UNPACKED.00402B60------------>这里跳走则错
00402B45 |. 8A06 MOV AL,BYTE PTR DS:[ESI]-------------->AL取注册码的首位
00402B47 |. 46 INC ESI------------------------------->ESI指向下一位
00402B48 |. 29D1 SUB ECX,EDX--------------------------->扫描次数(40h-(注册码首位前的标志位-1)=40h)
00402B4A |. 7E 14 JLE SHORT UNPACKED.00402B60----------->减法的结果不能小于等于零
00402B4C |> F2:AE /REPNE SCAS BYTE PTR ES:[EDI]--------->在ASCII码(去掉首位)中扫描注册码的首位
00402B4E |. 75 10 |JNZ SHORT UNPACKED.00402B60---------->在注册码中没有(即输入的注册码字符特殊)则跳走,则错误
00402B50 |. 89CB |MOV EBX,ECX
00402B52 |. 56 |PUSH ESI
00402B53 |. 57 |PUSH EDI
00402B54 |. 89D1 |MOV ECX,EDX----------------->如果注册码首位前的标志位为1,则此时为零,所以循环次数为零
00402B56 |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]-->串比较
00402B58 |. 5F |POP EDI
00402B59 |. 5E |POP ESI
00402B5A |. 74 09 |JE SHORT UNPACKED.00402B65---------->这里跳到下面
00402B5C |. 89D9 |MOV ECX,EBX
00402B5E |.^ EB EC JMP SHORT UNPACKED.00402B4C
00402B60 |> 5A POP EDX----------->如果从这里返回则EAX为零,后面出错
00402B61 |. 31C0 XOR EAX,EAX
00402B63 |. EB 05 JMP SHORT UNPACKED.00402B6A
00402B65 |> 5A POP EDX------------------------------>EDX恢复为指向ASCII码首位("A")
00402B66 |. 89F8 MOV EAX,EDI-------------------------->EDI的值为注册码首位在ASCII码(去掉首位)中的位置的下一位
00402B68 |. 29D0 SUB EAX,EDX-------------------------->求差值
00402B6A |> 5F POP EDI
00402B6B |. 5E POP ESI
00402B6C |. 5B POP EBX
00402B6D . C3 RETN
【本段总结】本段取得注册码的首位字符在字符串"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"中的位置,位置值保存于EAX
计算中需要的数据如下:
数据1:
F S Z L
46 53 5A 4C
数据2:
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
(位置号从0开始计算)
因为跟踪中发现每4位注册码作为一个循环,运算后每4位注册码生成6位,我们就组合这个数值,假设首位的位置值为a,第二位的位置值为b,第三位的位置值为c,第四位的位置值为d:
第一次循环:
46h=70=4a+b/16或者46h=70=b*16+c/4或者46h=70=c*64+d
此时取a=17,b=32 或者 c=1,d=4 或者 b=4,c=24
即取前四位注册码为: Rg** 或者 **BE 或者 *EY* (注意大小写)
第二次循环:
53h=83=4a+b/16或者53h=83=b*16+c/4或者53h=83=c*64+d
此时取 a=20,b=48 或者 b=5,c=12 或者 c=1,d=19
即注册码第5~8位为:Uw** 或者 *FM* 或者 **BT (注意大小写)
第三次循环:
5Ah=90=4a+b/16或者5Ah=90=b*16+c/4或者5Ah=90=c*64+d
此时取:a=22,b=32 或者 b=5,c=40 或者 c=1,d=26
即注册码9~12位为:Wg** 或者 *Fo* 或者 **Ba (注意大小写)
第四次循环:
4Ch=76=4a+b/16或者4Ch=76=b*16+c/4或者4Ch=76=c*64+d
此时取:a=18,b=64 或者 b=4,c=48 或者 c=1,d=12
即注册码13~16位为:S?** 或者 *Ew* 或者 **BM (注意大小写)
ASCII字符串最高位为63,所以最后4位注册码只有两种可能性。
所以根据以上各个要求组合出来的注册码就可以使用了